Data breach incidents worldwide cause large losses, from 3 M to 7.4 M USD. All incidents are caused by malicious attacks from Internet hackers for economic purposes. This presentation introduces the best-performing tools worldwide for Web Apps security scanning and malicious URL detection. OWASP tools have an 82% detection rate with SAST and DAST using exploit codes, so their performance is 1/50 that of the tools shown in this presentation. APT malware comes from email phishing and web malware links. The tools, Bit Scanner and PCDS, provide their services at the lowest cost, such as monthly payment, to cut the user's loss to half.
2. Abstracts 1
• Target : CIA(Confidentiality, Integrity, Availability)
• 2 Major Cyber Security Controls
• Protect Data Breach & Service Down
• No Software Vulnerability and Abusing
• No Web Apps Attacks and APT Malware Attacks
• General Security Control Measure Enhancement
• Set Up Security Controls 10 - 20 at least
• Excellent Tools and Persons and Well Trained and Educated
• Real Time Security Risk Management
• With Cloud Computing
2020-08-25 Cost-Effective Cyber Security Strategy
[Figure: Client - Server Internet; labels: Client, Server, Request, Respond, Exploit, Vulnerable]
3. Data Breach : 3.86 M USD
• 524 Incident, 17 Countries and Industries
• Malware Attacks 52% : Account(19%), Cloud(19%), SW(16%), Phishing(14%)
Major Security Control Up : Down to 2 M USD
• Web APPS : Bit Scanner 100%
• TCP/IP Web Detect, Internet. Mobile, IoT
• Crawling, Attack Simulation. Recovery Codes
• OWASP : SAST 82%, DAST : Real Attacks(No Guarantee)
• APT Malware : PCDS & HIDS
• PCDS : Currently 200,000 Black List and Update(Regex Analysis)
• HIDS : Each PC Real Time Abusing Detect(Reverse Engineering)
1. Cost of a Data Breach Report https://www.ibm.com/security/data-breach
2. https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/
Abstracts 2
4. Contents
1. Data Protection
2. Major Security Items
• Web Apps Vulnerabilities
• APT Malware Abusing
• Penetration Test
3. Cyber Security Controls
• Set Up Security Controls
• Security Control Data Gathering and Analyzing
4. Cost Benefit Analysis
5. Conclusion
Add 1: Security Professionals
Add 2:
1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
[Figure: Risk Management; labels: Risk, Intelligence, Event/Data, Business, Analyzing]
5. Data Protection
1. https://www.slideshare.net/DataReportal/digital-2020-global-digital-overview-january-2020-v01-226017535/8-9JAN2020SOURCES_POPULATION_UNITED_NATIONS_LOCAL
2. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
3. https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf
Digital Internet Economy, 4.5 B Internet Users(59%)
Data Breach Incident : Privacy, intellectual property
• Adobe, eBay, Equifax, Heartland Payment Systems, LinkedIn, Marriott International, Yahoo
Cyber Terror : Service Down Attacks by North Korea
• 320 Cyber Terror, 77DDOS, 125 Terror
More Internet Attack Space and Criminals
• Web, Mobile and IoT Sensors
• China, North Korea, Russia
• Cyber Crime : 6 Trillion
6. Data Protection
1. https://www.ibm.com/security/data-breach
Cost 3.86 M USD from 524 Data Breach Incidents
Health Care Industry, 280 Days to Detect
• 150 USD cost/record
• Security Controls Problem ; Technical Issues : 52%(Web, APT/Phishing)
Attack 52%
System 25%
Person 23%
China CERT Security Vulnerability Trends (Boan News)
7. 2 Major Security Controls 1
1. KEY 15 to Unlocking the Secrets of Hacking, http://www.yes24.com/Product/Goods/8358065
2. Advanced Persistent Threats: A Decade in Review, https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/C5_APT_ADecadeInReview.pdf
3. https://content.fireeye.com/apt/rpt-apt38
Pen Test via Contract Company
Find Web Apps Vulnerability
RAT Attack
Data Breach – Intellectual Property
Attack to Main Company
Bank Penetration Test
APT Malware
Penetration Test
Company Penetration Test
Web Apps
Prepare APT Malware Code
Edit RAT Tools, Consult Virus Total
Email Using Social Engineering
Bypass ASS
30- 40 Victim PC, DB Manager
Critical Issues in AVS
8. 2 Major Security Controls 2
1. https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/2015-wp/wp-content/uploads/2017/10/2017-Cybercrime-Report.pdf
• Need Security Controls “Daily”
• Web Apps Vulnerability Scan
APT Malware Scan
• Web : 1.5 Billion Web Sites
• Software : 1,100 B New Codes
• Contents : 2020 96 Zettabytes
• Dark Web : Dark Web Crime Services
There are 111 billion lines of new software code being
produced each year — which introduces a massive
number of vulnerabilities that can be exploited.
9. Web Apps Security 1
1. https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
2. http://www.opennaru.com/opennaru-blog/owasp-zap-devops-and-security/
3. http://journalhome.ap-northeast-2.elasticbeanstalk.com/journals/jkiisc/digital-library/23308
10. Web Apps Security 2
1. https://www.dhs.gov/science-and-technology/news/2019/11/26/snapshot-top-25-most-dangerous-software-errors
2. Risk-Management-Based Cost-Effective Real-Time Web Application Software Security Vulnerability Testing, http://journalhome.ap-northeast-2.elasticbeanstalk.com/journals/jkiisc/digital-library/23308
From smartphone games and personal email accounts to
international banking and hospital records, software is
everywhere. It entertains, boosts efficiency, and even saves
lives. Unfortunately, for every new program developed, there is
likely a hacker ready to disrupt and exploit it. That’s why it is
vital for software designers, developers, and cybersecurity
experts to keep apprised of potential weaknesses that could
cause substantial damage to their computer systems. – DHS
Korea made a model that considers all program vulnerabilities
linked in TCP/IP HTTP Web communication with the Client
Server Internet
• Web HTTP with Web, Mobile and IoT
• There are exploit codes in Client to attack vulnerable server
• Using attack simulation in HTTP
• OWASP Tools Try SAST(82%), DAST(No Web Service Guarantee)
• SDLC & DevOps Model
11. Web Apps Security 3
1. https://www.dailysecu.com/news/articleView.html?idxno=1308
2. http://journalhome.ap-northeast-2.elasticbeanstalk.com/journals/jkiisc/digital-library/23308
3. https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/
“Similar services exist in Japan. But in the end, the reason I chose Korean tools
was because of two advantages.” “First, it was too powerful compared to other
services in terms of speed. As a result of testing on several company sites, the
light scan service was completed in 8 minutes that other companies' products took
more than 8 hours. Another advantage is that it does not damage the website at
all while checking quickly.” -Director Masaharu Shirasugi, IWI Group, Japan
50 times the speed (OWASP 8 hours, Light Scan Co., Ltd. 8 minutes)
SDLC VS DevOps System
Server Programs can be Revised any Time
OWASP Tools : SAST 82%
13. APT Malware Detection 1
1. https://us-cert.cisa.gov/northkorea
2. https://globalcybersecurityreport.com/2017/08/04/dhs-st-announces-commercialization-of-renigma-malware-reverse-engineering-tool/
Malware?
Abnormal code in PC, Web, Mobile
Web Malware URL, Email, Mobile
Execution of Malware
14. APT Malware Detection 2
https://us-cert.cisa.gov/northkorea
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
HIDS Malware Detection
Host Intrusion Detection
1. Scan all PC disk NEW Files
2. Analyze Using “Reverse Engineering”
3. If Problems “RESTORE”
4. Delete malware
5. Add “Black List”
15. APT Malware Detection 3
https://us-cert.cisa.gov/northkorea
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
PCDS
Pre Crime Detection Satellite
1. Crawling Web Servers :
• 12 times 6M. 48 times 2 M
2. Analyzing in Regex in Full Depths
3. Update Black List : 200,000 Record
• Under 10,000
In use by major domestic cloud providers
Ransomware Detection
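The PCDS steps above (crawl web servers, analyze with regex to full depth, update the black list), sketched as an added example that is not part of the original slides or of the PCDS product. The sample pages, the two regex rules and the function name crawl_and_flag are assumptions constructed for illustration.

```python
import re
from collections import deque

# Constructed sample crawl (URL -> HTML); stands in for fetched pages so this runs offline.
PAGES = {
    "http://shop.example/": '<a href="http://shop.example/news">news</a> <a href="http://shop.example/about">about</a>',
    "http://shop.example/about": "<p>About us</p>",
    "http://shop.example/news": '<a href="http://shop.example/promo">promo</a>',
    "http://shop.example/promo": '<iframe src="http://cdn.bad.example/x" width="0" height="0"></iframe>',
    "http://cdn.bad.example/x": "<script>eval(unescape('%61%6c'))</script>",
}

# Assumed indicator rules (illustrative only, not the PCDS rule set).
RULES = {
    "hidden_iframe": re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I),
    "obfuscated_eval": re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I),
}
LINK = re.compile(r"(?:href|src)\s*=\s*[\"'](http[^\"']+)[\"']", re.I)

def crawl_and_flag(start, pages, blacklist):
    """Walk every reachable page breadth-first, apply the regex rules,
    add flagged URLs to blacklist, and return {url: [matched rule names]}."""
    seen, queue, findings = {start}, deque([start]), {}
    while queue:
        url = queue.popleft()
        html = pages.get(url)
        if html is None:  # page not in the sample crawl
            continue
        hits = [name for name, rx in RULES.items() if rx.search(html)]
        if hits:
            findings[url] = hits
            blacklist.add(url)
        # Follow both links and embedded resources so nested content is analyzed too.
        for link in LINK.findall(html):
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return findings

if __name__ == "__main__":
    black_list = set()
    for url, hits in crawl_and_flag("http://shop.example/", PAGES, black_list).items():
        print(url, hits)
```

The flagged page sits three links below the start URL, which is why the walk continues to full depth instead of checking only the landing page.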
16. Cyber Security Control 1
1. https://en.wikipedia.org/wiki/Comprehensive_National_Cybersecurity_Initiative
2. http://www.yes24.com/Product/Goods/40974900
CNCI
Comprehensive National Cybersecurity Initiative
• Governance
• Architecture
• Normal Profile
• Response Capability
17. Cyber Security Control 2
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Security Control
Rules are used to check whether security controls are being followed
18. Cyber Security Control 3
A Study on Innovating the National Cyber Security Response System, KAIST
SPMS
Security Performance (enhancement) System
19. Cost Benefit Analysis 1
1. Performance Measurement Guide for Information Security , https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-55r1.pdf
Cyber Security Risk Management System
• Security Control Performance Measure
• Like SPMS : Raw Data Collection
• Analysis of operational data
• Calculation of attack success probability for each case
• Continuous monitoring of cost for each case
20. Cost Benefit Analysis 2
1. https://www.federaltimes.com/it-networks/2019/12/11/agencies-achieve-historic-results-on-new-modernization-scorecard/
• Score Card
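• When the Score Card started in November 2015, there were Fs and Ds, and there were two Bs.
• The scorecard is a point-in-time snapshot. It provides results daily, and results are improving in the modernization area.
• DHS saw the biggest improvement. It received an "A" in data center optimization and jumped from an overall "D-" to a "B".
• The State Department, the Nuclear Regulatory Commission, and the Social Security Administration all fell.
• The reporting structure has improved since the scorecard. By law, an agency CIO must report to the agency head or deputy.
• Only five agencies, including Health and Human Services, Labor, Justice, State and the NRC, did not comply with that requirement. Overall scores did not improve. According to Carol Harris, director of IT management issues at the Government Accountability Office, 3 agencies have an "acceptable" CIO reporting model and 16 agencies have an appropriate structure.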
21. Conclusion
• Quantitative risk management system
• Risk Index = SUM(Control/Target Asset X 100)
• Score Card or Periodic Rule Check Data
• Daily Check :
• Web Apps Security and APT Malware Check
• World Best Tools : Bit Scanner and PCDS
1. https://msexperttalk.com/azure-security-center-cloud-security-posture-management/
A Client’s Security
C Class : 631/880
23. Add 2 Content of Future Book
I. Cyber Security Abstract
II. Strategy
III. Cyber Security Issues
IV. Penetration Test
V. IDS and Information Warfare
VI. Practical Case
Cyber Security Abstract
1. Strategy
2. Software Security
3. Cloud Security
4. US Cyber Security
5. Incident Case Analysis
6. Cyber Security Jobs
7. Penetration Strategy
8. APT Malware
9. Web Apps
10. Information Warfare
11. IDS
12. Security Measure
13. Risk Management